Real-Time Unified Audit Log File for Linux

Last update: 06.11.2026

This guide will explain how to enable the Real-Time Unified Audit (UA) Logs feature on a Linux system using the ThreatLocker CLI tool (threatlockerctl).

Prerequisites

Before enabling the Real-Time Unified Audit log file, confirm the following:

  • The ThreatLocker agent is installed on the Linux machine.
  • You have sudo or root privileges.
  • You have terminal access to the Linux machine.
  • The machine has network connectivity to ThreatLocker services.

Procedure

  1. Open a Terminal

Sign in to the Linux machine and open a terminal session.

  2. Verify the CLI Option Is Available

Run the following command:

sudo threatlockerctl --help

Review the available options and confirm that the following option is listed:

--real-time-ua {enable|disable} [all]

If this option is not listed, verify that the ThreatLocker agent is installed and up to date.

  3. Enable Real-Time Unified Audit Logging

Run the following command:

sudo threatlockerctl --real-time-ua enable all

The optional parameter ‘all’ enables baseline logs in the Real-Time Unified Audit log; by default, these logs are not saved.

  4. Authenticate

When prompted, enter the sudo password for the Linux machine.

  5. Confirm Successful Enablement

After the command runs successfully, the expected response is:

Server response: 0 Success

Log Location

Once Real-Time Unified Audit logging is enabled, logs are written to the following location:

/var/log/threatlocker-ua/realtimeua.log
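
The procedure and log location above, as an added shell example that is not ThreatLocker's own code: it runs steps 2 to 5, requires the documented success response, and then waits for the log file. The TLCTL and UA_LOG overrides, the return codes, and the assumption that the file may only appear after the first event are choices made for this example.

```shell
#!/bin/sh
# Added example: scripted form of the procedure above (not vendor code).
# TLCTL and UA_LOG overrides are an assumption of this example; the
# defaults are the command and path given in this article.
TLCTL="${TLCTL:-sudo threatlockerctl}"
UA_LOG="${UA_LOG:-/var/log/threatlocker-ua/realtimeua.log}"

# Step 2: confirm the installed CLI lists the --real-time-ua option.
ua_option_available() {
    $TLCTL --help 2>&1 | grep -q -- '--real-time-ua'
}

# Steps 3-5: enable logging and require the documented success response.
# $1 = "all" to include baseline logs, or empty for the default.
# Return codes (this example's own): 2 option missing, 3 command failed,
# 4 response was not the expected success line.
enable_realtime_ua() {
    if ! ua_option_available; then
        echo "--real-time-ua not listed: check agent install/version" >&2
        return 2
    fi
    if ! out=$($TLCTL --real-time-ua enable ${1:+"$1"} 2>&1); then
        echo "threatlockerctl failed: $out" >&2
        return 3
    fi
    case "$out" in
        *"Server response: 0 Success"*) return 0 ;;
        *) echo "unexpected response: $out" >&2; return 4 ;;
    esac
}

# Log location: wait up to $1 seconds (default 30) for the log file.
# Assumption: the file may not exist until the first event is written.
wait_for_ua_log() {
    t="${1:-30}"
    while [ "$t" -gt 0 ] && [ ! -f "$UA_LOG" ]; do
        sleep 1
        t=$((t - 1))
    done
    [ -f "$UA_LOG" ]
}

# Runs only when UA_ENABLE_NOW=1, so the file can also be sourced.
if [ "${UA_ENABLE_NOW:-0}" = 1 ]; then
    enable_realtime_ua all && wait_for_ua_log 30
fi
```

A non-zero exit from the script lets a deployment tool flag machines where enablement did not complete, instead of relying on someone reading the terminal output.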

How to Disable Real-Time Unified Audit Logs

To disable Real-Time Unified Audit Logs, run:

sudo threatlockerctl --real-time-ua disable all

Troubleshooting

If Real-Time Unified Audit Logs do not enable successfully, check the following:

  1. Confirm the ThreatLocker Agent Is Installed

Verify that the ThreatLocker agent is installed on the Linux machine before running the command.

  2. Verify Permissions

The command requires elevated privileges. Run the command with sudo or as root.

  3. Confirm the CLI Option Exists

Run:

sudo threatlockerctl --help

Confirm that the following option appears in the help output:

--real-time-ua {enable|disable} [all]

  4. Check Network Connectivity

Ensure the Linux machine can communicate with ThreatLocker services.
